Tuesday, May 21, 2013

Practical Tips to Improve Network Security with What You Already Have: Part 1 of 2

I think we as security experts need to stop focusing on who or what
will attack us and start acting like we’re already owned. If we just
started thinking in terms of “I’m already compromised,” the
security and monitoring of our networks and systems would improve
drastically. The original fear of security experts was of being hacked or
compromised, but in reality this is happening every day while you’re on
the clock. If you’ve ever had malware infect a workstation, you’ve been
breached. That is just one small example, but it’s true. There are two
types of security professionals:

Those that know they’ve been breached.

Those who’ve been breached, but don’t know it.

With that said, we need to start focusing on extrusion
detection (a term coined by Richard Bejtlich, @taosecurity) as well as
intrusion detection. We talk about security in layers a lot, and this is
just another layer for detecting threats. The problem is that we often
jump straight to the shiny new objects out there, such as Data Loss
Prevention (DLP), Next-Generation Firewalls, SIEM, etc., to get the job
done. While these are all helpful tools that can certainly improve your
ability to spot malicious traffic leaving the network, there are
things you can do immediately to improve your security posture.

Log for Certain Alerts
There are certain events on your domain or network that you know
right off the bat are bad news. These should be caught and
alerted on right away. There are many tools that will do this for you,
like a SIEM, but you still need to know what you’re looking for. If you
don’t currently have a SIEM, you can set up similar alerts to warn you of
malicious behavior. Here are some examples:

Set up an alert every time the “Domain Admins” group has a change made
to it. If you’re a smaller company, there should be a darn good reason
this group has just changed. One of the things a bad guy
wants is complete control, and if he’s already gotten this far it may
be too late, but the alert might give you the time needed to shut things down
and keep your data from leaving.

Set up fake accounts that you think attackers will try to access. An
example of this is an account named “administrator” in Active Directory.
I’m assuming and hoping that you’ve already renamed the original one.
On this decoy account you can set the lockout threshold really low and alert
every time someone fails to log into it. In this example, if a bad
guy is looking for low-hanging fruit, he’s going to tip you off right away.
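Both tips above boil down to the same thing: watch the Security log for a handful of event IDs and raise an alert when one matches a condition you care about. The script below is an added example, not code from the original post, showing that logic for both the Domain Admins change and the decoy-account rules. The event IDs are the real Windows Security log IDs (4728/4729 for members added to or removed from a security-enabled global group such as Domain Admins, 4625 for a failed logon, 4740 for an account lockout); the event records it scans are constructed sample data, and the watched group and decoy account names are assumptions about the environment. In practice you would feed it records pulled from the Security log (for example via a scheduled task) instead of the inline list.

```python
"""
Minimal 'known bad' alerting over Windows Security events for shops without a SIEM.
Rule 1: any membership change to Domain Admins.
Rule 2: any failed logon or lockout against a decoy account.
The event IDs are the real Windows ones; the records below are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Windows Security log event IDs (real IDs).
GROUP_MEMBER_ADDED = 4728    # "A member was added to a security-enabled global group"
GROUP_MEMBER_REMOVED = 4729  # "A member was removed from a security-enabled global group"
LOGON_FAILED = 4625          # "An account failed to log on"
ACCOUNT_LOCKED_OUT = 4740    # "A user account was locked out"

# Environment assumptions (not from the post): the group to watch, and the decoy
# account created after the real built-in administrator was renamed. Compared
# case-insensitively because Windows account and group names are.
WATCHED_GROUPS = {"domain admins"}
DECOY_ACCOUNTS = {"administrator"}


@dataclass(frozen=True)
class Alert:
    severity: str
    event_id: int
    message: str


def check_event(ev: Dict[str, str]) -> List[Alert]:
    """Return the alerts one event record triggers (usually none).

    Field names follow the Windows EventData XML: for 4728/4729, TargetUserName
    is the *group* and MemberName the account that was changed; for 4625/4740,
    TargetUserName is the account the logon was attempted against.
    """
    alerts: List[Alert] = []
    event_id = int(ev.get("EventID", 0))

    if event_id in (GROUP_MEMBER_ADDED, GROUP_MEMBER_REMOVED):
        if ev.get("TargetUserName", "").lower() in WATCHED_GROUPS:
            action = "added to" if event_id == GROUP_MEMBER_ADDED else "removed from"
            alerts.append(Alert(
                "critical", event_id,
                f"{ev.get('MemberName', '?')} {action} {ev.get('TargetUserName')} "
                f"by {ev.get('SubjectUserName', '?')}",
            ))

    if event_id in (LOGON_FAILED, ACCOUNT_LOCKED_OUT):
        if ev.get("TargetUserName", "").lower() in DECOY_ACCOUNTS:
            what = "failed logon" if event_id == LOGON_FAILED else "lockout"
            # The source field varies by event; fall back gracefully when absent.
            source = ev.get("IpAddress", "unknown source")
            alerts.append(Alert(
                "high", event_id,
                f"{what} against decoy account {ev.get('TargetUserName')} from {source}",
            ))
    return alerts


def scan(events: Iterable[Dict[str, str]]) -> List[Alert]:
    """Run every record through the rules and collect the alerts in log order."""
    return [alert for ev in events for alert in check_event(ev)]


# Constructed sample records (not real log data).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4624", "TargetUserName": "jdoe", "IpAddress": "10.0.0.15"},  # normal logon: ignored
    {"EventID": "4728", "SubjectUserName": "svc-backup",                      # rule 1 fires
     "MemberName": "CN=tmp,CN=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
    {"EventID": "4728", "SubjectUserName": "hr-admin",                        # other group: ignored
     "MemberName": "CN=newhire,CN=Users,DC=corp,DC=example", "TargetUserName": "HR Staff"},
    {"EventID": "4625", "TargetUserName": "Administrator", "IpAddress": "10.0.0.99"},  # rule 2 fires
    {"EventID": "4625", "TargetUserName": "jdoe", "IpAddress": "10.0.0.15"},  # real user's typo: ignored
    {"EventID": "4740", "TargetUserName": "Administrator"},                   # rule 2 fires (lockout)
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity.upper()}] event {alert.event_id}: {alert.message}")
```

Running it against the sample records produces three alerts: one critical alert for the Domain Admins change and two high alerts for the decoy account (the failed logon and the resulting lockout). Normal logons, changes to other groups and a real user mistyping a password produce nothing, which is the point: the rules stay quiet until something you have already decided is bad news shows up.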